my.tado.com : support for 2FA

Hi. There is a ETA for support 2FA for the accesso to my.tado.com ?


Best regards

54
54 votes

Active · Last Updated

Comments

  • Given the IoT connectivity I would also really like to suggest Factor Authentication for the tado system accounts as well as for the support accounts.

  • Hi,

    Please put me down as a +1 for 2FA/MFA. I'm a little concerned that all it would take is a password hack and a nefarious person could wreak havoc on my heating system - and/or lock me out of it.

    I also note that I don't get emails when a new browser/device signs in to my account. From a security standpoint this a basic feature of most online services nowadays and would at least flag to users whether something was afoot with their account. Perhaps this could be paired with some sort of basic audit logging.

  • Just a few more thoughts on this one, I guess that somebody could also get into your account and see whether you're at home or not.

  • Please could you give us all an update on this. Like the posters above have said this is actually very important.

  • No answer, no ETA after one and a half year?

  • Hi @eMa,

    +1 for 2FA.

    If ideas are not supported immediately by enough people they tend to drift down the pages and get forgotten about.

  • +1 for 2FA.

    Something like this needs to be secured/locked down.

  • Thank you for bringing up the request for 2FA.


    We know that a small subset of "power users" is really interested in this. However, this is not something that the mass market cares for at this time. We are waiting for the right time to start looking into this.

    But please keep this topic active and keep upvoting.

  • @Jurian sorry to disagree, but I don't think 2FA/MFA is a power-user thing anymore.

    Apple, MIcrosoft and Google have made this mainstream, almost every major SaaS vendor supports 2FA as either an SMS or an authenticator code - to the point that both Microsoft and Google have made their authenticators totally public domain and any software author can hook to their API to get a seed and QR code link - seriously easy for everyone.

    Add to that the fact that almost everyone uses some kind of app or web based banking and it's a long time since I've been able to log on to any bank without MFA.

    SAML support is everywhere, and SMS gateways cost little, but authenticator support is free. This sounds like a poor excuse. Besides, making it optional covers all the bases - turn it on if you want it.

    @legsak1mbo is right in essence, users are trusting access to their home IOT to you, even the details of payment plans and other personal data. For the security of your reputation and your customers peace of mind, implementing 2FA/MFA should be high on your list.

    For the record, it took one of my developers less than 2 days to roll out MFA protection on our support portal via SAML and Google/MS Authenticator and SMS. No excuses please!

  • Klaus_Ludwig
    Klaus_Ludwig ✭✭
    edited February 23

    As we all know, the harsh reality in the business world is that any investment of resources has to have a perceived financial payback and to have a financial payback any idea has to be something that will become valuable to a significant percentage of key customers. If resources (such as the necessary skills and time) are not immediately available or are prioritised on other tasks that are more likely to have payback then this may sit on the shelf for sometime. The vision of a company’s senior management is critical in steering the company not just towards prosperity, but towards a better future in all respects. I hope that Tado finds the right direction. It’s hard to get a good reputation. In the world of social media it is very easy to lose it. It is obvious that there are people on this forum with certain skills and knowledge. I can only hope that Tado management manage to pick up on some of the ideas that will help to keep them up with and also to set them apart from their competitors. Hive already use 2FA.

  • @XKRMonkey,

    Totally agree that the main motivating factor for implementation of 2FA/MFA controls is going to be the perceived risk of incurring a very significant GDPR fine and also the associated damage to reputation.

  • @Jurian There are a lot of smart, on-the-point comments above.

    A further official answer from Tado is necessary.

    2-factor is NOT "power". It is de-rigeur in a world where every week we see another major international news headling about hacks and data breaches, almost always occurring because such basic precautions as 2-factor authentication were not taken.

    A Tado° controlled home heating/cooling system is a "cyber-physical" system; something where I.T. can impact the real physical world. It can cause physical harm (remotely shutting off heating in a dwelling which is unoccupied during a cold snap), and can even cause medical harm (a semi-dependent person who is checked-in on ~daily could suffer hours of too-cold or too-hot before their caretaker came and found them).

    2-factor isn't expensive to implement (Google Authenticator for example), and it's common enough now (Google, Microsoft, Amazon, all financial services in Europe and many in north America, etc, etc, etc, etc) that users shouldn't have much trouble with it (if it's done well).

    It's long past time.

    -Jay Libove, CISSP(retired), CIPP/US, CIPT, CISM(retired)

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!